On Sun, May 25, 2003 at 09:23:44AM +0200, Christoph Hellwig wrote:
> On Sun, May 25, 2003 at 01:11:44AM -0400, Matt Zimmerman wrote:
> > > Then read through the prepatch diffs, everything adding checks to
> > > ioctl methods or similar is likely one of them.
> >
> > This approach does not scale.
>
> Right, you got it. Similarly it doesn't scale to announce all these bits.
> Just take the latest upstream if you want these kinds of fixes.
No, that is not similar. All those bits are changed by many different
people, not one, and even if they weren't, it is easier (by a HUGE measure)
for the person who has made the change to announce it to others, as they are
already aware and do not need to sift through a single diff, much less the
entire kernel tree as you suggested that I do.
This is analogous to someone dropping a particular leaf into a huge pile of
leaves, and suggesting that it makes more sense for me to search the pile
than for them to tell me where they dropped it (or show it to me in the
first place).
This is not a question of what I want. Either our users need these fixes to
maintain the security of their systems (in which case Debian needs these
fixes, and they are important enough to be announced publicly), or they do
not, and they are not worth talking about.
> This is how every bigger upstream (and other projects like OpenBSD) work.
Apache? XFree86? KDE? Mozilla? OpenWall? glibc? All of these projects
manage to enumerate security fixes.
OpenBSD fails miserably in this respect, and makes for an example of how NOT
to work with the community on security issues. Their approach is, roughly,
"we fixed this a while ago but didn't tell anyone, so you're vulnerable and
we're not, ha-ha-ha".
--
- mdz